1.01k likes | 1.32k Vues
The art of deception Kevin Mitnick.
E N D
PrefaceSome hackers destroy people´s files or entire hard drives, they are called crackers or vandals. Some novice hackers don´t bother learning the technology, but simply download hacker tools to break into computer systems; they are called scripts kiddies. More experienced hackers with programming skills develop hacker programs and post them to the Web and to bulletin board systems. And then are individuals who have no interest on technology, but use the computer merely as a tool to aid them in stealing money, good or services.
Back then we used the term hacker to mean a person who spent a great deal of time tinkering with hardware and software, either to develop more efficient programs or to bypass unnecessary steps and get the job done more quickly. The term has now become a pejorative, carrying the meaning of malicious criminal.
A company may have purchased the best security technologies that money can buy, trained their people so well that they look up all their secrets before going home at night, and hired building guards from the best security firm in the business. That company is still totally vulnerable. Part 1 Security´s weakest link: The human factor
I could often get passwords and other pieces of sensitive information from companies by pretending to be someone else and just asking for it. The human factor is truly security´s weakest link.Security is too often merely an illusion.Albert Einstein said: “Only two things are infinite, the universe and human stupidity, and I am not sure about the former
Anyone who thinks that security products alone offer true security is settling for the illusion of security.Security is not a product, it´s a process. Moreover, security is not a technology problem, it´s a people and management problem.The greater losses, the real threats, come from sophisticated attackers with well defined targets who are motivated by financial gains. These people focus on one target at time rather than, like the amateurs, trying to infiltrate as many systems as possible.
He had pulled off the biggest bank heist in history- and done without using a gun, even without a computer. Eventually made it into the pages of Guinness Book of World Records in the category of “biggest computer fraud.”
While amateur computer intruders simply go for quantity, the professional target information of quality and value.Technologies like authentication devices (for proving identity), access control (for managing access to files and system resources), and intrusion detention systems (the electronic equivalent of buglar alarms) are necessary to a corporate security program.
An adversary who wants your information can obtain it, usually in one of several different ways. It´s just a matter of time, patience, personality, and persistence. Or performing actions that create a security hole for the attacker to slip through, no technology in the world can protect a business.
Social engineers use deception practiced on your employees to bypass security technology.Successful social engineers have strong people skills. They are charming, polite, and easy to like –social traits needed for a establishing rapid rapport and trust.
We are not trained to be suspicious of each other. The attacker, understanding this common belief, makes his request sound so reasonable that it raises no suspicion, all the while exploiting the victim´s trust. That innocent that is part of our national character was evident back when computers were first being connected remotely. The goal was information freedom. One noted software libertarian, Richard Stallman, even refused to protect his account with a password.
The problem is the human factor. The people manning the machines. Airport officials can marshall the National Guard and install metal detectors and facial recognition systems, but educating the frontline security staff on how to properly screen passengers is much more like to help. The same problem exists within government, business, and educational institutions throughout the world.
Part 2 The art of the attackerIn reality penetrating a company’s security often starts with the bad guy obtaining some piece of information or some document that seems so innocent, so everyday and unimportant, the most people in the organization wouldn’t see any reason why the item should be protected and restricted.
An attacker is said to have burned the source when he allows a victim to recognize that an attack has taken place. Once the victim becomes aware and notifies other employees or management of the attempt, it becomes extremely difficult to exploit the same source in future attacks.Never end the conversation after getting the key information. Later, if the victims remember anything about what you asked, it will probably be the last couple of questions. The rest will usually be forgotten.
Head hunter firms use social engineering tactics to recruit corporate talent.A social engineer learns to sound like an insider.Just like the pieces of jigsaw puzzle, each piece of information may be irrelevant by itself. However, when the pieces are put together, a clear picture emerges.
Don´t give out any personal or internal company information or identifiers to anyone, unless his or her voice is recognizable and the requestor has a need to know.A well thought-out information security policy, combined with proper education and training, will dramatically increase employee awareness about the proper handling of corporate business information. A data classification policy will help you to implement proper control with the respect to disclosing information. Without a data classification policy, all internal information must be consider confidential, unless otherwise specified.
The Information Security Department needs to conduct awareness detailing the methods used by social engineers. One method, as described above, is to obtain seemingly nonsensitive information and use it as a poker chip to gain short-term trust. The person or the persons with the role and responsibility of drafting a data classification policy should examine the types of details that may be used to gain access for legitimate employees that seem innocuous, but could lead to information that is sensitive.
Every business has its enemies, too –attackers that target the network infrastructure to compromise business secrets. More importantly, develop a step-by-step procedure to positively identify whether a caller asking for phone number is really an employee. Accounting codes for workgroups and departments, as well as copies of the corporate directory (whether hard copy, data file, or electronic phone book on the intranet) are frequent targets of social engineers.
The safeguards should include maintaining an audit log that records instances when sensitive information is disclosed to people outside of the company.Information such as an employee number, by itself, should not be used as any sort of authentication. Every employee must be trained to verify not just the identity of a request, but also the requestor´s need to know.
Whenever asked a question or asked for a favor by a stranger, learn first to politely decline until the request can be verified. Then –before giving it to the natural desire to be Mr. Or Ms. Helpful –follow company policies and procedures with respect to verification and disclosure of nonpublic information.
Part 3 The direct attack: just asking for itMany social engineering attacks are intricate, involving a number of steps and elaborate planning, combining. A mix of manipulation and technological know-how. A skillful social engineer can often achieve his goal with a simple, straightforward, direct attack. Just asking outright for the information may be all that´s needed.
It´s human nature to trust our fellow man, especially when the request meets the test of being reasonable. Social engineers use this knowledge to exploit their victims and to achieve their goals. Except in times when the economy is very tight, people with good technical computer knowledge usually find their talents in high demand and they have little problem landing on their feet.
In spite of the myth of the paperless office, companies continue to print out reams of paper every day. Information in print at your company may be vulnerable, even if you use security precautions and stamp it confidential.
Security training with respect to company policy designed to protect information assets needs to be for everyone in the company, not just any employee who has electronic or physical access to the company IT assets. Never think any social engineering attacks need to elaborate ruses so complex that they´re likely to be recognized before they can be completed. Some are in and out, strike and disappear, very simple attacks that are more than… just asking for it.
A point to include in your security training: just because a caller or visitor knows the names of some people in the company, or knows some of the corporate lingo or procedures, Doesn’t means that he is who he claims to be. Security training needs to emphasize. When in doubt, verify, verify, verify.Today workers at every level, even those who don´t use a computer, are liable to be targeted.
Part 4 Building trust Why are social engineering attacks so successful? It isn´t because of people are stupid or lack common sense. But we, as human beings, are all vulnerable to being deceived because people can misplace their trust if manipulated in certain ways.
The social engineer anticipates suspicion and resistance, and he´s always prepared to turn distrust into trust. A good social engineer plans his attack like a chess game, anticipating the questions his target might ask so he can be ready with the proper answers.
When people don´t have a reason to be suspicious, it´s easy for a social engineer to gain their trust. Once he´s got your trust, the drawbridge is lowered and the castle door thrown open so he can enter and take whatever information he wants.There are enough female social engineers out there that you shouldn´t let your guard down just because you hear a woman´s voice. In fact, social engineers have a distinct advantage because they can use their sexuality to obtain cooperation
The sting technique of building trust is one of the most effective social engineers tactics. You have to think whether you really know the person you´re talking to. In some rare instances, the person might not be who he claims to be.Building a sense of trust doesn´t necessarily demand a series of phone calls with the victim.
Think of your own attitude when somebody you don´t know asks you for something. If a shabby stranger comes to your door, you´re not likely to let him in; if a stranger comes to your door nicely dressed, shoes shined, hair perfect, with a polite manner and a smile, you´re likely to be much less suspicious. What´s less obvious is that we judge people on the telephone the same way.
It´s natural for people to have a higher degree of acceptance for anyone who claims to be a fellow employee, and who knows company procedures and lingo.Credibility leads to trust.Rank has it´s privileges, in particular the privilege of not being challenged by the people of lower rank. Social engineers often use authority or rank in the corporate hierarchy as a weapon in their attacks on businesses.
That fellow employee you´ve never met in person but who has become a telephone friend may not be who he or she claims to be.Everybody should be aware of the social engineer´s modus operandi: Gather as much information about the target as possible, and use that information to gain trust as an insider. Then go for the jugular!Almost everyone in your organization needs training to protect the enterprise from industrial spies and information thieves.
Appropriate training for people who have trusted access to such information should be designed around the answers to these questions.When is the last time anyone in your organization checked to see if any sensitive information on your company´s intranet had inadvertently been made available through the public-access areas of your Web site?
Part 5 Let me help you We are all grateful when we´re plagued by a problem and somebody with the knowledge, skill and willingness comes along offering to lend us a hand. The social engineer understands that, and knows how to take advantage of it. He also knows how to cause a problem for you.. Then make your grateful when he resolves the problem… and finally play on your gratitude to extract some information or a small favor from you that will leave your company.
There are a lot of ways to crack into a company´s most secret files
Trojan Horse, a software application that did for Tom’s computer what the original deception did for the Trojans: It brought the enemy inside the camp.With the software running, Bobby was provided with complete control over Tom’s computer, an arrangement known as a remote command shell.
A Trojan Horse is a program containing malicious or harmful code, designed to damage the victim´s computer or files, or obtain information from the victim´s computer or network. Some trojans are designed to hide within the computer operating system and spy on every keystroke or action, or accept instructions over a network connection to perform some function, all without the victim being aware of its presence.
Late on the night that he conned his target into installing the Trojan Horse software, Bobby threw the cell phone into a Dumpster. Of course he was careful to clear the memory first and pull the battery out before he tossed.
The attacker spins a web to convince the target he has a problem that, in fact, doesn´t really exists –or, as in this case, a problem that has´t happened yet, but the attacker knows it will happen because he´s going to cause it. He then presents himself as the person who can provide the solution.An attacker who can make the target call him gains instant credibility.
REMOTE CONTROL SHELL A nongraphical interface that accepts text based commands to perform certain functions or run programs. An attacker who exploits technical vulnerabilities or is able to install a Trojan Horse program on the victims computer may be able to obtain remote access to a command shell.
REVERSE SOCIAL ENGINEERING A social engineering attack in which the attacker sets up a situation where the victim encounters a problem and contacts the attacker for help. Another form of reverse social engineering turns the tables on the attacker. The target recognizes the attack, and uses psychological principles of influence to draw as much information as possible from the attacker so that the business can safeguard targeted assets.
If a stranger does you a favor, then asks you for a favor, don´t reciprocate without thinking carefully about what he´s asking for.New employees are a ripe target for attackers. They don´t know many people yet, they don´t know the procedures or dos and don’ts of the company. And, in the name of making a a good first impression, they´re eager to show how cooperative and quick to respond they can be.
The most common information that a social engineer wants from an employee, regardless of his ultimate goal, is the target’s authentication credentials.Before new employees are allowed access to any company computer systems, they must be trained to follow good security practices, especially policies about never disclosing their passwords.
The company that doesn´t make an effort to protect its sensitive information is just plain negligent. The truth is that even those companies that do make an effort to protect confidential information may be at serious risk.
Under UNIX, the operating system maintains a password file which contains the encrypted passwords of everybody authorized to access the computer.DEAD DROP A place for leaving information where it is unlikely to be found by others. In the world of traditional spies, this might be behind a loose stone in a wall; in the world of the computer hacker, it´s commonly an Internet site in a remote country.
The strong desire to be a team player, which makes most people susceptible to deception. What she was sending out happened to be information that might have raised alarm bells with anyone knowing the value of the information-but how could a receptionist be expected to know which information is benign and which sensitive?
Everybody´s first priority at work is to get the job done. Under that pressure, security practices often take second place and are overlooked or ignored. Social engineers rely on this when practicing their craft.The default passwords for many operating systems, routers, and other type of products, including PBXs, are made available on line. Any social engineer, hacker, or industrial spy, as well as the just plain curious, can find the list at www.phenoelit.de/dpl/dpl.html
A company´s only effective defense is to educate and train your people, giving them the practice they need to spot a social engineer. Everyone in the organization must be trained to exercise an appropriate degree of suspicion and caution when contacted by someone he or she doesn´t personally know, especially when that someone is asking for any sort of access to a computer or network. As the Japanese say, business is war. Your business cannot afford to let down its guard. Corporate security policy must clearly define appropriate and inappropriate behavior.
There should be a base level of training that everyone in the company is required to complete, and then people must also be trained according to their job profile to adhere certain procedures that will work with sensitive information or are placed in positions of trust should be given addition specialized training.Never cooperate whit stranger who ask you to look up information.Any software program –even one that appears to do nothing at all- may not be as innocent as appears to be.
It´s not appropriate to make an absolute rule about “never”. Still, your security policies and procedures do need to be very specific about circumstances under which an employee may give out his or her password and –most importantly- who is authorized to ask for the information.Designate employees in each department who will handle all requests for information to be sent outside the group.